Company failed to take reasonable steps to secure the personal information

Jun 25, 2014 17:33 GMT  ·  By

The investigation of last year’s OkCupid security incident is over and the findings showed that there were no encryption mechanisms in place to protect the sensitive information of the 254,000 users whose info was stolen.

The Australian Privacy Commissioner, Timothy Pilgrim, concluded that Cupid Media, the company administering the OkCupid dating site, did not comply with the Privacy Act 1988, which compelled it to secure the personal information stored on its systems.

Back in January 2013, the administrators at Cupid Media noticed that a hacker had attempted to gain access to a table in its databases. The immediate response included patching the exploited vulnerability to prevent further unauthorized access.

When the company determined that the vulnerability was in ColdFusion, it obtained the patch and applied it immediately to all its servers. An external ColdFusion security contractor was also engaged to confirm that the flaw had been fixed and that the ColdFusion installation complied with best-practice standards.

The information the hacker stole included full names, dates of birth, email addresses, and passwords.

This would allow an attacker to infer further details about a victim, such as racial or ethnic origin, religious beliefs or affiliations, or sexual preferences or practices.

“Personal information includes ‘sensitive information.’ The Privacy Act's definition of ‘sensitive information’ prior to 12 March 2014 included information or an opinion about an individual's racial or ethnic origin, religious beliefs or affiliations, or sexual preferences or practices,” says the report.

Cupid Media runs a total of 35 dating websites, categorized as “African dating,” “Asian dating,” “Latin dating,” “gay and lesbian dating,” “special interest,” and “religion.”

At that time, the password protection measures in place consisted of an account lockout policy and the enforcement of strong password policies on all servers. However, none of the passwords was encrypted; all were stored in plain text.

Hashing and salting sensitive information such as passwords is an effective measure for securing stored data and mitigating the risk to users in the event of a breach.
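As an added illustration, not code from the article or from Cupid Media's systems, the plain-text table the report describes is shown beside the salted-hash storage the passage recommends, in Python; the sample accounts, the PBKDF2 parameters and the stored-record format are assumed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: a credential table of the kind the report describes,
# with passwords kept in plain text. A stolen copy reveals every password.
PLAINTEXT_TABLE: Dict[str, str] = {
    "alice@example.com": "Summer2013!",
    "bob@example.com": "Summer2013!",   # same password as alice
}

# Assumed parameters for the hardened form: a random per-user salt and
# PBKDF2-HMAC-SHA256 with a high iteration count to slow offline guessing.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)       # fresh salt per stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_table(plaintext_table: Dict[str, str]) -> Dict[str, str]:
    """Replace every plain-text password with its salted hash record."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


def leak_exposes_passwords(table: Dict[str, str], truth: Dict[str, str]) -> bool:
    """True if a leaked copy of `table` directly contains any real password."""
    return any(table[user] == truth[user] for user in truth)
```

Note that the two accounts share a password yet receive different stored records, so a leaked table neither reveals the password nor shows which users chose the same one.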

The report says that the actions taken by Cupid Media to contain the data breach included notifying the affected users that their passwords had been reset and analyzing the server logs to determine the method used by the attacker.

As a security measure, the Commissioner advises users of dating sites to update their privacy settings and change their passwords on a regular basis, and to be careful about the personal information they share, so as to avoid becoming victims of identity theft or online scams.